New research shows 172 ransomware attacks have targeted U.S. health care organizations since 2016, costing more than $157 million and impacting nearly 1,500 facilities and more than 6.6 million patients.

According to research conducted by Comparitech, 74% of organizations affected were hospitals or clinics, and the remaining were IT providers (5%), elderly care providers (7%), dental (5%) or optometry practices (6%), plastic surgeons (2%), medical testing (2%), health insurance (1%), government health (1%) and medical supplies (1%).

Ransomware amounts vary from $1,600 to $14 million, and downtime varies from hours to weeks and even months.

Paul Bischoff, privacy advocate with Comparitech, tells us cybersecurity providers and MSSPs are ready and willing to lend their services, but not all hospitals have the time, money and willingness to invest in them.

Comparitech’s Paul Bischoff

“On top of that, no amount of cybersecurity technology will prevent a negligent staff member from clicking on a link in a phishing email,” he said. “In most successful ransomware cases, human error plays a leading role.”

California had the most ransomware attacks by far, accounting for 14.5% of the attacks from 2016, while Texas had the second-highest number with 14 attacks in total. Maine, Montana, New Mexico, North Dakota and Vermont aren’t recorded as having any.

“Population is the No. 1 factor,” Bischoff said. “Some health care providers are incorporated in a particular state, but have patients across the United States, which skews the numbers a bit. Lastly, not all states had breach notification laws prior to 2018, and our data goes back to 2016, so it’s possible some states suffered attacks that weren’t reported.”

Michigan is the worst state for the number of patient records at risk, according to Comparitech. Nearly 1.1 million people were affected in the Wolverine State by two ransomware attacks; however, these two attacks relate to Airway Oxygen, a medical supply company, and Wolverine Solutions Group, a medical billing company, based in the state. This means some of the affected patients live in different states.

In California, 753,000 patient records were exposed and many of those came from hospital networks operating in the area. Two of the main culprits were Pacific Alliance Medical Center where 266,123 patients’ records were affected in June 2017, and Centerlake Medical Group, where 197,661 patients’ records were affected in February 2019.

In 2016, there were 36 ransomware attacks on U.S. health care organizations, followed by 53 in 2017. In 2018, the figure dropped to 31, making this the lowest year for attacks overall. Last year, the figures rose again to 50.

At least two health care providers have shut down permanently due to ransomware attacks. With the cost of restoring their systems being far too great, they have been left with no other option but to close their businesses, according to the research.

The average downtime caused by a ransomware attack is 16 days; however, this is often for large organizations, and would be different for the smaller clinics and practices.

“Hospitals and other health care providers need to train all staff to spot and handle phishing messages,” Bischoff said. “These usually come through email and contain links or attachments that download malware. They might also lead to fake websites where staff enter their usernames and passwords, which attackers can then use to gain access to hospital systems. Phishing messages impersonate trusted personnel and authority figures to trick victims into clicking links, downloading malware, or handing over private info. Phishing attacks are cheap, easy to pull off and difficult to trace, which means cybercriminals can use them relentlessly, and they only have to work once.”

Hospitals and health care providers also need to make regular, secure backups of data, he said. If ransomware affects the main system, these backups should be unaffected and ready to go. If done correctly, downtime is minimal and the hospital doesn’t have to pay the ransom, he said.